itlawwikiaorg-20200214-history
Cyber threat
Overview A cyber threat can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources, including foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization. Unintentional threats can be caused by inattentive or untrained employees, software upgrades, maintenance procedures and equipment failures that inadvertently disrupt computer systems or corrupt data. Intentional threats include both targeted and nontargeted attacks. A targeted attack is when a group or individual specifically attacks a critical infrastructure system. A nontargeted attack occurs when the intended target of the attack is uncertain, such as when a virus, worm, or malware is released on the Internet with no specific target Repeatedly identified as the most worrisome threat is the "insider" — someone legitimately authorized access to a system or network. Other malefactors may make use of insiders, such as organized crime or a terrorist group suborning a willing insider (a disgruntled employee, for example) or making use of an unwitting insider (by getting someone with authorized network access to insert a disk containing hidden code, for example). Background on cyber threats Threats to the U.S. cyber and telecommunications infrastructure are constantly increasingPeter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009).http://www.usatoday.com/news/washington/2009-02-16-cyber-attacks_N.htm?csp=34 Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities. and evolving as are the entities that show interest in using a cyber-based capability to harm the nation’s security interests. Concerns have been raised since the 1990s regarding the use of the internet and telecommunications components to cause harm to the nation’s security interests. Activities producing undesirable results include unauthorized intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications devices to corrupt data or cause infrastructure components to operate in an irregular manner. Of paramount concern to the national and homeland security communities is the threat of a cyber-related attack against the nation’s critical government infrastructures — “systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”42 U.S.C. §5195c(e). Early concerns noted attacks on components of the energy grid, infrastructure control systems, and military equipment as examples of telecommunications-based threats to physical infrastructures.Of note, many of the cyber-related incidences that were found to have negatively affected control systems connected to physical infrastructure components were resolved as being the work of current or former employees who had access to and knowledge of the architecture of the affected network. In response, the Department of Energy conducted an experiment in 2007 in which the control system of an unconnected generator, containing similar components as that of larger generators connected to many power grids in the nation supplying electricity, was damaged and became inoperable.Jeanne Meserve, "Staged Cyber Attack Reveals Vulnerability in Power Grid," CNN online (Sep. 26, 2007).http://www.cnn.com/2007/US/09/26/power.at.risk/index.html#cnnSTCVideo. While data from federal agencies demonstrate that the majority of attempted and successful cyber attacks to date have targeted virtual information resources rather than physical infrastructures,See Center for Strategic and International Studies, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency 12 (2008) ("we expected damage from cyber attacks to be physical (opened floodgates, crashing airplanes) when it was actually informational"). many security experts are concerned that the natural progression of those wishing to harm U.S. security interests will transition from stealing or manipulating data to undertaking action that temporarily or permanently disables or destroys the telecommunications network or affects infrastructure components. Many security observers agree that the United States currently faces a multi-faceted, technologically based vulnerability in that "our information systems are being exploited on an unprecedented scale by state and non-state actors in a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities, and weak situational awareness."House Permanent Select Committee on Intelligence, Cyber Security: Hearing on the Nation’ s Cyber Security Risks, 110th Cong. (Sept. 18, 2008) (statement of Paul Kurtz, Former Senior Director, Critical Infrastructure Protection, White House Homeland Security Council). This, coupled with security observers’ contention that the United States lacks the capability to definitively ascertain perpetrators who might unlawfully access a database or cause harm to a network, leaves the nation increasingly at risk. It also causes acts or discussions related to deterring cyberattacks to be ignored or negated by entities exploiting known or newly found vulnerabilities. Prominent national security experts have emphasized the vulnerability of U.S. infrastructures. As recently as January 2009, former Director of National Intelligence (DNI) Mike McConnell equated “cyber weapons” with weapons of mass destruction when he expressed concern about terrorists’ use of technology to degrade the nation’s infrastructure. In distinguishing between individuals gaining access to U.S. national security systems or corporate data for purposes of exploitation for purposes of competitive advantage, former Director McConnell noted that terrorists aim to damage infrastructure and that the “time is not too far off when the level of sophistication reaches a point that there could be strategic damage to the United States.”The Charlie Rose Show, "Interview of Mr. Mike McConnell, Director of National Intelligence," PBS, Jan. 8, 2009. Sources of cyber threats There are a variety of sources of cyber threats, includingGAO analysis based on data from the Director of National Intelligence, Department of Justice, the Central Intelligence Agency, and the Software Engineering Institute’s CERT Coordination Center.: * Botnetwork operators — Botnet operators use a network, or botnet, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available on underground markets (e.g., purchasing a denial of service attack or servers to relay spam or phishing attacks). * Criminal groups — Criminal groups seek to attack systems for monetary gain. Specifically, organized criminal groups use spam, phishing, and spyware/malware to commit identity theft and online fraud. International corporate spies and criminal organizations also pose a threat to the United States through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent. * Foreign nation states — Foreign intelligence services use cyber tools as part of their information gathering and espionage activities. Also, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power. * Hackers — Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking others, and monetary gain, among other reasons. While gaining unauthorized access once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage. * Hacktivists — Those who make politically motivated attacks on publicly accessible web pages or e-mail servers. These groups and individuals overload e-mail servers and hack into websites to send a political message. * Insiders — The disgruntled insider, working from within an organization, is a principal source of computer crimes. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes contractor personnel. * Phishers — Individuals, or small groups, execute phishing] schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware/malware to accomplish their objectives. * Spammers — Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations (i.e., denial of service attack). * Spyware/malware authors — Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several destructive computer viruses and worms have harmed files and hard drives, including the Melissa virus, the Explore.Zip worm, the CIH (Chernobyl) virus, Nimda worm, Code Red, Slammer worm, and Blaster worm. * Terrorists — Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. However, traditional terrorist adversaries of the United States are less developed in their computer network capabilities than other adversaries. Terrorists likely pose a limited cyber threat. The Central Intelligence Agency believes terrorists will stay focused on traditional attack methods, but it anticipates growing cyber threats as a more technically competent generation enters the ranks. Types of cyber threats Cyber threats can take the form of: * Distributed denial of service (DDOS) attack — attackers flood network resources to render physical systems unavailable or less than fully responsive for a period of time. * Rogue device — an unauthorized device accesses the system, manipulating it or providing incorrect data to system operators. * Reconnaissance attack — probing of a system to provide attackers information on capabilities, vulnerabilities, and operation. * Eavesdropping attack — violations of confidentiality of communication within a network. * Collateral damage — unplanned side-effects of cyber attacks. * Unauthorized access attack — an attack where the adversary exercises a degree of control over the system and accesses and manipulates assets without authorization. * Unauthorized use of assets, resources, or information — an attack in which assets, services, or data are manipulated by an authorized user in an unauthorized manner.Joe Weiss, "Control System Cyber Vulnerabilities and Potential Mitigation of Risk for Utilities" 3-4 (Juniper Networks, Inc. 2009). This can result in system operators being given inaccurate information from a “trusted” source, and thereby being misled into making decisions based on this data that result in impacts to the system. * Malicious code (Malware) — viruses, worms, and Trojan horses. Impact on critical infrastructure Cyber threats are asymmetric, surreptitious, and constantly evolving — a single individual or a small group anywhere in the world can inexpensively and secretly attempt to penetrate systems containing vital information or mount damaging attacks on critical infrastructures. There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack on a national critical infrastructure, including the infrastructure’s control systems. The Federal Bureau of Investigation has identified multiple sources of threats to our nation’s critical infrastructures, including foreign nation states engaged in information warfare, domestic criminals, hackers, and virus writers, and disgruntled employees working within an organization. Threats to the U.S. cyber and telecommunications infrastructure are constantly increasingPeter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009).http://www.usatoday.com/news/washington/2009-02-16-cyber-attacks_N.htm?csp=34 Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), a Department of Homeland Security entity, found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities. and evolving as are the entities that show interest in using a cyber-based capability to harm the nation’s security interests. For more information on cyberattackers’ capabilities, see John Rollins & Clay Wilson, "Terrorist Capabilities for Cyberattack: Overview and Policy Issues" (CRS Report RL33123)http://www.fas.org/sgp/crs/terror/RL33123.pdf. Concerns have been raised since the 1990s regarding the use of the internet and telecommunications components to cause harm to the nation’s security interests. Activities producing undesirable results include unauthorized intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications devices to corrupt data or cause infrastructure components to operate in an irregular manner. Of paramount concern to the national and homeland security communities is the threat of a cyber-related attack against the nation’s critical government infrastructures — “systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”42 U.S.C. §5195c(e). For more on U.S. efforts to protect critical infrastructures, see John D. Moteff, "Critical Infrastructures: Background, Policy, and Implementation (CRS Report RL30153)http://www.fas.org/sgp/crs/homesec/RL30153.pdf. Early concerns noted attacks on components of the energy grid, infrastructure control systems, and military equipment as examples of telecommunications-based threats to physical infrastructures. References Category:Computer crime Category:Security